MailEnable .NET web mail and web administration do not function on a Windows 2000 Domain Controller

SYMPTOMS

MailEnable .NET web mail and web administration do not function on a Windows 2000 Domain Controller.

CAUSE

There are some issues associated with getting ASP.NET working on Windows 2000 domain controllers. These issues are widely experienced and seem to stem from the fact that it is generally not advisable to run ASP.NET applications on a Domain Controller.

By default, a Windows 2000 Domain Controller has the ASP.NET identity account configured as the IWAM_COMPUTERNAME account (as opposed to the ASPNET account that is typically used for ASP.NET). By default, this account does not hold the rights needed to run ASP.NET applications, so system changes are required to get ASP.NET to work on domain controllers.

RESOLUTION

Here is what can be done to make ASP.NET functional on a Windows 2000 DC.

IMPORTANT: Follow this procedure if experiencing issues with a Windows 2000 Domain Controller. It is also advisable to review the Microsoft Knowledge Base in order to understand the rationale behind the changes made to the system.

Step 1: Setting Domain Controller User Rights Policies

Under Start|Programs|Administrative Tools you should access the Domain Controller Security Policy for the server.

Then grant IWAM_COMPUTERNAME the following rights:

Impersonate a client after authentication

Log on as a service

Log on as a batch job

Step 2: Setting Domain Local User Rights Policies

Under Start|Programs|Administrative Tools you should access the Local Security Policy for the server.

Then grant IWAM_COMPUTERNAME the following rights:

Impersonate a client after authentication

Log on as a service

Log on as a batch job
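Once the policy changes have taken effect, the three grants from Steps 1 and 2 can be checked against an export of the server's user rights. The following is an added example, not part of the original article or of MailEnable: it assumes the export was produced with `secedit /export /cfg rights.inf /areas USER_RIGHTS`, and the account name, domain and sample export in it are constructed.

```python
import codecs

# Constant used in the [Privilege Rights] section -> policy display name
REQUIRED = {
    "SeImpersonatePrivilege": "Impersonate a client after authentication",
    "SeServiceLogonRight": "Log on as a service",
    "SeBatchLogonRight": "Log on as a batch job",
}

def decode_inf(raw):
    """Decode an export file: UTF-16 when a BOM is present, else single-byte."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    return raw.decode("latin-1")

def parse_privilege_rights(text):
    """Return {right: set of lower-cased holders} from [Privilege Rights]."""
    rights, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            # Holders are comma-separated; SIDs carry a leading '*'
            rights[name.strip()] = {h.strip().lstrip("*").lower()
                                    for h in value.split(",") if h.strip()}
    return rights

def missing_rights(text, account, sid=None):
    """List required rights held by neither the account name nor its SID."""
    rights = parse_privilege_rights(text)
    wanted = {account.lower()} | ({sid.lower()} if sid else set())
    missing = []
    for const, label in REQUIRED.items():
        holders = rights.get(const, set())
        # A holder may be written as DOMAIN\name; also compare the bare name
        names = holders | {h.rsplit("\\", 1)[-1] for h in holders}
        if not wanted & names:
            missing.append(label)
    return missing

# Constructed sample export; IWAM_DC01 and EXAMPLE are made-up names
SAMPLE = """[Privilege Rights]
SeImpersonatePrivilege = *S-1-5-32-544,IWAM_DC01
SeServiceLogonRight = EXAMPLE\\IWAM_DC01
SeBatchLogonRight = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
"""
if __name__ == "__main__":
    print(missing_rights(SAMPLE, "IWAM_DC01"))
```

An empty result means the account holds all three rights; if the export lists the account by SID rather than by name, pass that SID as the third argument.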

Step 3: Apply Policy changes

To make these changes effective, run these commands from the Windows command prompt: